This invention pertains generally to network devices and more particularly to granting privileges for the configuration of network devices.
Existing methods for granting privileges for the configuration of network devices have certain limitations. Currently, different levels for privileges are granted to groups of administrators, each group having a common password. One example of such an arrangement is depicted in FIG. 1. Administrators that have permission to use basic command group 101 may be able to use a few commands regarding basic management of a fabric network devices. All those who are involved with the day-to-day management of that device will be given a password appropriate for this basic level. Using the password, these people will be able to invoke the commands of command group 101.
A more restricted number of administrators will know the password for “enable” command group 102, which will allow additional commands, e.g., for the configuration of a fabric network devices. All those with permission to use the commands of command group 102 will also be able to use the commands of command group 101.
An even smaller number of engineers may have the password for an “engineering” command group 103. The engineering group may be sent by a vendor, such as Cisco Systems or the present assignee, to perform special operations such as debugging, etc. All those with permission to use the commands of command group 103 will also be able to use the commands of command groups 101 and 102.
Currently-implemented systems such as the one described above do not provide for keeping a record of what individual administrator performed operations on a particular network device at a particular time. For example, if a particular administrator to whom “enable” status is granted had configured a network device on a particular day, there might be a record that a person having that status had configured the network device on that day. However, there would be no indication of what administrator had made such changes.
The present assignee has developed methods and devices for logically segregating a single physical network into virtual networks. VSANs allow a single fabric of network devices to support and segregate the operations of multiple customers. For example, customer A may be able to access data in certain storage devices connected to the network, whereas customer B may not.
If multiple customers are seeking to administer and configure the same fabric nodes of a particular storage area network, complications may arise. For example, different customers may seek to configure the same device in different ways. Moreover, to provide greater security of the management of a network device, it would be desirable to capture the identity of all persons who have the ability to manage the network device. Knowledge of what person has reconfigured a particular network device may help prevent unauthorized access that could compromise the security or integrity of a network.